Azure Generic IPv6 Proxy
You can find the repository on GitLab.
If you want to support IPv6 for your web application, but your infrastructure only supports IPv4, you can use this self-hosted proxy to accept IPv6 traffic and proxy it to your IPv4-only backend.
It supports HTTP and HTTPS. With HTTPS, it will do TLS passthrough, so it will just forward encrypted data. This proxy cannot read encrypted data, because it does not have the private key of the certificate used. SNI is not supported, so you cannot route to another backend based on hostname.
The proxy VM is an ordinary VM with two IP addresses: one IPv6 (for incoming traffic) and one IPv4 (for communication with the backend). It uses HAProxy.
This module can also create the AAAA DNS record if you host your DNS zone in Azure DNS. Make sure to enable it. If you host your DNS zone somewhere else, make sure you don’t forget to create the record for your domain(s) and point it to the public IPv6 address of this proxy. This module reserves a public IPv6 address and shows that in its output.
This Terraform module is easy to use (see examples/ directory) and will deploy the IPv6 proxy to it can be used like this:
If you want to make this solution highly available, consider moving to a VM scale set and adding a TCP IPv6 load balancer in front of that scale set.
Requirements
No requirements.
Providers
| Name | Version |
|---|---|
| azurerm | n/a |
Modules
| Name | Source | Version |
|---|---|---|
| networking | ./modules/networking | n/a |
| virtual_machine | ./modules/virtual-machine | n/a |
Resources
| Name | Type |
|---|---|
| azurerm_resource_group.default | resource |
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| backend_ips | The IPv4 addresses of the backend(s). | list(string) |
n/a | yes |
| create_dns_record | Create an AAAA DNS record for the proxy. | bool |
false |
no |
| dns_name | The name (hostname) of the DNS record, can be a wildcard using *. |
string |
"" |
no |
| dns_zone_name | The name of the DNS zone to create the AAAA record in. | string |
"" |
no |
| dns_zone_resource_group_name | The name of the resource group of the DNS zone to create the AAAA record in. | string |
"" |
no |
| location | The name of the Azure region to deploy the resources in. | string |
n/a | yes |
| nsg_name | The name of the network security group. | string |
"nsg-ipv6-proxy" |
no |
| public_ip_zones | The zones to use for the public IP addresses. | list(number) |
[ |
no |
| public_ipv4_address_name | The name of the public IPv4 address to reserve. | string |
"pip-ipv6-proxy-ipv4" |
no |
| public_ipv6_address_name | The name of the public IPv6 address to reserve. | string |
"pip-ipv6-proxy-ipv6" |
no |
| resource_group_name | The name of the new Azure resource group. | string |
n/a | yes |
| subnet_address_prefixes | The private address prefixes of the subnet in the virtual network, including both IPv4 and IPv6. Should be in het subnet address range. IPv6 should be at least of size /64 |
list(string) |
[ |
no |
| subnet_name | The name of the subnet in the virtual network. | string |
"snet-ipv6-proxy" |
no |
| vm_name | The name of the virtual machine. | string |
"ipv6-proxy" |
no |
| vm_size | The size for the virtual machine. | string |
"Standard_B1ms" |
no |
| vnet_address_space | The private address space of the virtual network, including both IPv4 and IPv6. IPv6 should be at least of size /48 |
list(string) |
[ |
no |
| vnet_name | The name of the virtual network. | string |
"vnet-ipv6-proxy" |
no |
| whitelisted_ips | List of IP addresses (or ranges) that should be able to access the VM over port 22. | list(string) |
n/a | no |
Outputs
| Name | Description |
|---|---|
| public_ipv6_address | The public (external) IPv6 address of the proxy. This is the address you should set your AAAA-record to. |